Credit reporting company Experian plc has suffered a new data breach, with the credit scores of almost every person in the U.S. exposed through an unprotected application programming interface.

Discovered and publicized April 28 by security researcher Bill Demirkapi, the breach involved a tool called the Experian Connect API that allows lenders to automate FICO-score queries. Demirkapi found while visiting one lender’s website that offered to check his loan eligibility that the code allowed him to invoke the Experian API with any authentication and pull up any person’s credit score.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security. “Experian should mandate nonpublic information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”

Demirkapi was also able to design a command-line tool to automate lookup which he rather interestingly called “Bill’s Cool Credit Score Lookup Utility.”

Although Experian has since shut down unauthorized access to the API, the concern is that the company may be using other APIs that could be exploited in a similar way. Whether it had been accessed by others is unknown.

Experian said in a statement provided to SiliconANGLE that it can confirm a “single, isolated instance involving a client website” that didn’t compromise any of Experian’s systems, including its API.

“While this did not compromise any of Experian’s systems, we take this matter very seriously,” the spokesperson said. “In fact, we continually work with our clients to review their processes and ensure data security best practices. In addition, we are constantly innovating to provide a secure environment to stay ahead of today’s increasingly sophisticated cyber criminals. This includes regularly monitoring for fraudulent activity, taking immediate and aggressive action to stop such activity when it is detected. Data security has always been, and always will be, our highest priority.”

“It’s not clear if this weakness was exploited by other attackers beyond the security researcher’s probing and disclosure,” Michael Isbitski, technical evangelist at API protection firm Salt Security Inc., told SiliconANGLE. “Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.”

Hank Schless, senior manager, security solutions at mobile security solutions firm Lookout Inc., noted that the prominence of cloud-based services and technologies has created a massive ecosystem of interconnected services that help organizations of all types boost their business internally for employees and externally for customers.

“Integration between various apps and services can make the overall experience much more convenient and seamless for users,” Schless explained. “APIs, especially for large platforms like airlines or social media, are oftentimes made public so anyone can connect their service to those platforms. However, the convenience of integration shouldn’t put security on the back burner.”

The incident highlights how important it is to understand the security posture of all resources, Schless added. “In this particular case, that means vetting any third-party service you decide to integrate into your services or infrastructure,” he said. “When you integrate your services, there’s always the risk of an attacker getting to your data after initially breaching the partner service.”

Experian last suffered a data breach with the theft of data belonging to 15 million Americans in October 2015.

Photo: Experian Thailand